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(IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 
FORE THE BOARD OF PATENT APPEALS AND INTERFERENCES 

Serial No. : 09/655,229 Confirmation No. 7777 

Appellant : Chung Nan Chang 

Filed : September 5, 2000 

Title : SECURE CRYPTOGRAPHIC KEY EXCHANGE 

AND VERIFIABLE DIGITAL SIGNATURE 

TC/A.U. : 2131 

Examiner : Shin-Hon Chen 

Docket No. : 2174 
Customer No.: 23320 



MAIL STOP APPEAL BRIEF - PATENTS 
Commissioner for Patents 
Post Office Box 1450 
Alexandria, Virginia 22313-14 50 

Sir: 

REPLACEMENT APPEAL BRIEF TRANSMITTAL 

On September 7, 2005, the United States Patent and Trademark 
Office ("USPTO") dispatched a "Notification of Non-Compliant Appeal 
Brief (37 C.F.R. § 41.37)" for the patent application identified 
above which indicated that an "Appeal Brief" filed on June 20, 
2005, lacked: 

1. a concise explanation of the subject matter defined in 
each of the independent claims involved in the appeal, 
.referring to the specification by page and line number 
and to the drawings, if any; 

2. copies of the evidence submitted under 3 7 C.F.R. 
§§ 1.130, 1.131, or 1.132 or of any other evidence 
entered by the examiner and relied upon by appellant in 
the appeal ; and 
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3 . copies of the decisions rendered by a court or the Board 
in the proceeding identified in the Related Appeals and 
Interferences section of the brief. 
A copy of the September 7, 2005, "Notification of Non-Compliant 
Appeal Brief (37 C.F.R. § 41.37)" is attached hereto. 

Enclosed herewith are three (3) copies of a "Replacement 
Appeal Brief" for this patent application which Appellant submits 
fully complies with the September 7, 2005, "Notification of Non- 
Compliant Appeal Brief (37 C.F.R. § 41,37)," Specifically: 

1. pages 3-5 and 7-8 of the accompanying "Replacement Appeal 
Brief" set forth a concise explanation of the subject 
matter defined in each of the independent claims involved 
in the appeal, and footnotes 1-14 on pages 3-8 refer to 
the specification by page and line number and to the 
drawings ; 

2 . a . Appellant has submitted no evidence under 37 C.F.R. 

§§ 1.130, 1.131/ or 1.132 to be included in an 
"Evidence Appendix" to the "Replacement Appeal 
Brief . " 

b. Appellant includes in an "Evidence Appendix" to the 
"Replacement Appeal Brief" a copy of United States 
Patent No. 5,804,703 entitled "Method and Apparatus 
for Digital Signature Authentication" which is 
evidence entered by tje Examiner on "Information 
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Disclosure by Applicant" PTO/SB/08A Form which 
accompanied a March 8, 2004, Office Action . 
3 . Appellant is unable to attach as appendices to the 
accompanying "Replacement Appeal Brief" copies of the 
decisions rendered by a court or the Board in the 
proceeding identified in the Related Appeals and Inter- 
ferences section of the brief because, as set forth on 
page 2 of the original "Appeal Brief" and of the "Re- 
placement Appeal Brief," there have been no related 
appeals or interferences . 

/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 
/// 



Docket no. 2174 



-3- 



October 5, 2005 



Appl. No. 09/655,229 

Response Dated October 5, 2 005 

Appeal of Office Action dated January 18, 2005 

Appellant believes that no fee is required for submitting the 
accompanying "Replacement Appeal Brief." However, if any addition- 
al fee is required for submitting the accompanying "Replacement 
Appeal Brief," the Commissioner for Patents is hereby authorized to 
charge any deficiency or credit any surplus in any relevant fee to 
Deposit Account No. 19-0735. A duplicate copy of this transmittal 
letter is enclosed herewith. 




Respectfully submitted 
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Donald E. Schreiber 
A Professional Corporation 
Post Office Box 2926 
Kings Beach, CA 96143-2926 



Telephone: (530) 546-6041 



Attorney for Appellant 
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-The MAILING DATE of this communication appears on the cover sheet with the correspondence address-- 



The Appeal Brief filed on 20 June 2005 is defective for failure to comply with one or more provisions of 37 CFR 41 .37. 

To avoid dismissal of the appeal, applicant must file anamended brief or other appropriate correction (see MPEP 
1205.03) within ONE MONTH or THIRTY DAYS from the mailing date of this Notification, whichever is longer. 
EXTENSIONS OF THIS TIME PERIOD MAY BE GRANTED UNDER 37 CFR 1.136. 

1 . □ The brief does not contain the items required under 37 CFR 41 .37(c), or the items are not under the proper 

heading or in the proper order. 

2. □ The brief does not contain a statement of the status of all claims, {e.g., rejected, allowed, withdrawn, objected to, 

canceled), or does not identify the appealed claims (37 CFR 41.37(c)(1)(iii)). 

3. □ At least one amendment has been filed subsequent to the final rejection, and the brief does not contain a 

statement of the status of each such amendment (37 CFR 41.37(c)(1)(iv)). 

4. H (a) The brief does not contain a concise explanation of the subject matter defined in each of the independent 

claims involved in the appeal, referring to the specification by page and line number and to the drawings, if any, 
by reference characters; and/or (b) the brief fails to: (1) identify, for each independent claim involved in the 
appeal and for each dependent claim argued separately, every means plus function and step plus function under 
35 U.S.C. 112, sixth paragraph, and/or (2) set forth the structure, material, or acts described in the specification 
as corresponding to each claimed function with reference to the specification by page and line number, and to 
the drawings, if any, by reference characters (37 CFR 41.37(c)(1)(v)). 

5. □ The brief does not contain a concise statement of each ground of rejection presented for review (37 CFR 

41.37(c)(1)(vi)) 

6. □ The brief does not present an argument under a separate heading for each ground of rejection on appeal (37 CFR 

41.37(c)(1)(vii)). 

7. □ The brief does not contain a correct copy of the appealed claims as an appendix thereto (37 CFR 

41.37(c)(1)(viii)). 

8. El The brief does not contain copies of the evidence submitted under 37 CFR 1.130, 1.131, or 1.132 or of any 

other evidence entered by the examiner and relied upon by appellant in the appeal, along with a 
statement setting forth where in the record that evidence was entered by the examiner, as an appendix 
thereto (37 CFR 41.37(c)(1)(ix)). 

9. IS The brief does not contain copies of the decisions rendered by a court or the Board in the proceeding 

identified in the Related Appeals and Interferences section of the brief as an appendix thereto (37 CFR 
41.37(c)(1)(x)). 

tO.D Other (including any explanation in support of the above items): 
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"Express Mail" mailing Number Date of Deposit 

I hereby certify that this correspondence is being deposited with the Uni- 
ted States Postal Service "Express Mail Post Office to Addressee" service under 
37 CFR 1.10 on the date indicated above addressed to: 



MAIL STOP APPEAL BRIEF - PATENTS 
Commissioner for Patents 
Post Office Box 1450 
Alexandria, Virginia 22313-1450 




Dated: { jT ^^^^Cf, 200^ 



Donald E. Schreiber 
A Professional Corporation 
Post Office Box 2926 
Kings Beach, CA 96143-2926 
(530) 546-6041 
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Appellant 
Filed 
Title 
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Docket No. 
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09/655, 229 
Chung Nan Chang 
September 5, 2000 

SECURE CRYPTOGRAPHIC KEY EXCHANGE 
AND VERIFIABLE DIGITAL SIGNATURE 
2131 

Shin-Hon Chen 

2174 
23320 



Confirmation No. 7777 



MAIL STOP APPEAL BRIEF - PATENTS 
Commissioner for Patents 
Post Office Box 1450 
Alexandria, Virginia 22313-1450 



Sir: 

REPLACEMENT APPEAL BRIEF . 

Pursuant to 37 C.F.R. § 1.192, through his undersigned 
attorney the Appellant submits in triplicate the following 



replacement brief appealing a rejection of claims that appears in 
an Office Action dated January 18, 2 005. 



Real Party in Interest 

The real parties in interest are: 

1. the inventor, Chung Nan Chang; and 

2. an assignee of fifty percent (50%) interest in the patent 
application, On Line Post Corp. Fl . 12, No. 123, Sec. 2, Chung 
Hsiao E. Road, 100 Taipei, Taiwan R.O.C. 

Related Appeals and Interferences 

Appellant is unaware of any presently pending appeal or inter- 
ference that is related to this appeal. 

Status of the Claims 

Claims 1-29, set forth in Appendix I hereto, are pending in 
this application. Claims 1-29 have been finally rejected, and that 
rejection of claims is being appealed. 

Status of Amendments 

Claims 1-29 are those originally filed on September 5, 2000. 

Summary of Claimed Subject Matter 

Claims 1-29 include four (4) distinct categories of claims. 
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1. Claims 1-9 encompass a method by which cryptographic units S 
and R, i.e. sender and receiver, mutually establish a crypto- 
graphic key K . 

2. Claims 10-18 encompass a system adapted for communicating as 
an encrypted cyphertext message M a plaintext message P after 
cryptographic units included in the system establish a crypto- 
graphic key K . 

3. Claims 19-27 encompass a cryptographic unit adapted for: 

a. inclusion in a system for communicating as an encrypted 
cyphertext message M a plaintext message P; and 

b. establishing a cryptographic key K . 

4. Claims 28-29 encompass a method by which a receiving unit R 
authenticates a sender's digital signature . 

For establishing the cryptographic key K , each independent 
claim 1, 10 and 19 includes the following five (5) characteristic 
steps . 

1. A receiving unit R transmits for storage in a publicly 
accessible repository a plurality of public quantities . 1 

1 Independent claim 1 element a 

Independent claim 10 element c.i.(l) 
Independent claim 19 element a.i.(l) 
See in FIG. 1 : 

a) an arrow connecting the publication port 66 of the 
quantity source 62 of the receiver's cryptographic 
unit 12b to the public repository 67 together with 
the pending application ' s text on page 17 at lines 
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2 . A sending unit S retrieves the plurality of public quantities 
from the publicly accessible repository . 2 

3 . The sending unit S uses at least some of the plurality of 
public quantities in computing and transmitting to the 
receiving unit R a plurality of sender's quantities. 3 



16-19; and 

b) arrows arranged in an L-shape connecting the publi- 
cation port 68 of the key generator 52 of the 
receiver's cryptographic unit 12b to the public re- 
pository 67 together with the pending application's 
text beginning on page 17 at line 24 and continuing 
to page 18 at line 5. 

Independent claim 1 element b.i 
Independent claim 10 element c.ii 
Independent claim 19 element a.ii 

See in FIG. 1 an L-shaped arrow connecting the public re- 
pository 67 to the public-key retrieval -port 69 of the 
key generator 52 of the sender's cryptographic unit 12a 
together with the pending application's text on page 18 
at lines 12-16. 

Independent claim 1 element b.ii 
Independent claim 10 element c.ii.(l) 
Independent claim 19 element a.ii.(l) 

See in FIG. 1 a sequence of four (4) arrows respectively 
connecting the output port 72 of the key generator 52 of 
the sender's cryptographic unit 12a to the first input 
port 32 of the first transceiver 34a, the first output 
port 36 of the first transceiver 34a to the insecure 
communication channel 38, the insecure communication 
channel 38 to the first input port 32 of the second 
transceiver 34b and the first output port 36 of the 
second transceiver 34b to the input port 74 of the key 
generator 52 of the receiver's 's cryptographic unit 12b 
together with the pending application's text beginning on 
page 18 at line 16 and continuing to page 19 at line 2. 
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4 . The sending unit S uses at least one of the plurality of 
public quantities in computing the cryptographic key K . 4 

5. The receiving unit R uses at least one of the plurality of 
sender 1 s quantities received from the sending unit S in 
computing the cryptographic key K . 5 

The preceding five characteristic steps , excerpted from independent 
claims 1, 10 and 19, clearly encompass only establishing a crypto- 
graphic key K by both sender and receiver . Accordingly, the 
preceding five characteristic steps do not encompass transmitting 
either : 

1. an encrypted plaintext, i.e. a cyphertext; or 

2. a digital signature. 

The following diagram, an annotated, redacted copy of the 
patent application's FIG. 1, graphically illustrates common charac- 



Independent claim 1 element b.iii 
Independent claim 10 element c.ii.(2) 
Independent claim 19 element a.ii.(2) 

See the key generator 52 of the sender's cryptographic 
unit 12a in FIG. 1 together with the pending 
application's text on page 19 at lines 9-11. 

Independent claim 1 element c. 
Independent claim 10 element c.i.(2) 
Independent claim 19 element a.i.(2) 

See the key generator 52 of the receiver's cryptographic 
unit 12b in FIG. 1 together with the' pending 
application's text on page 19 at lines 3-8. 
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teristic steps 1-5 summarized above in the context of the patent 
application's detailed description. 



[Cryptographic 
I Device 



© 



Secure Key 
Generate k 



I Sou rce 1 



® 



rcnsceiver 



SENDER 



Insecure 
Channel L 



Public 
Repository 



© 



JCryptographic 



5 ) R 



Transceiver) ! 



^Secure Key 
Generator 



r 

.L 



a, 1. Or 

e 



a, P t , 

© 



JJUubnfiTy] . 
1 Source j 

RECEIVER 



As i 1.1 us t rated ' above : 
1. the receiver, enclosed within, the dashed box ax tvhe^right hand 
side of the preceding illustration, transmits for storage in 
the public repository the plurality of quantities: 

a. a generated by the quantity source; 6 and 

b. P i and P 2 generated by the secure key generator; 7 



6 See the pending application at page 17, lines 16-19. 

7 See the pending appl icat ion at page IS, lines 1-5. 
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2. the sender, enclosed within the dashed box at the left hand 
side of the preceding illustration, retrieves the plurality of 
quantities a, P 1 and P 2 from the public repository; 8 

3. the sender computes and transmits to the receiver two (2) 
quantities V 1 and V 2 using at least some of the plurality of 
quantities a, P 1 and P 2 retrieved from the public repository; 9 

4 . the sender computes the cryptographic key K using at least 
some of the plurality of quantities a, P 1 and P 2 retrieved from 
the public repository; 10 and 

5. the receiver computes the cryptographic key K using at least 
one of the quantities V 1 and V 2 received from the sender. 11 

For authenticating a sender's digital signature, independent 
claim 28 requires the following steps performed by a receiving 
unit . 



See the pending application 

9 See the pending application 
19, line 2. 

10 See the pending application 

11 See the pending application 
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1 . Retrieving a plurality of public quantities from a publicly 
accessible repository which the sending unit has previously 
stored there. 12 

2 . Using the digital signature , which the sending unit transmits 
together with message M M, " and the plurality of public quanti- 
ties , evaluating expressions of at least two (2) different 
verification relationships. 13 



See in FIG. 1 : 

a) an arrow connecting the publication port 66 of the 
quantity source 62 of the receiver's cryptographic 
unit 12b to the public repository 67 together with 
the pending application's text on page 21 at lines 
18-21; 

b) arrows arranged in an L- shape connecting the publi- 
cation port 68 of the key generator 52 of the 
receiver's cryptographic unit 12b to the public re- 
pository 67 together with the pending application's 
text beginning on page 21 at line 21 and continuing 
to page 22 at line 3; and 

c) an L-shaped arrow connecting the public repository 
67 to the public-key retrieval-port 69 of the key 
generator 52 of the sender's cryptographic unit 12a 
together with the pending application's text on 
page 21 at lines 14-15. 

See in FIG. 1 : 

a) the key generator 52 of the sender's cryptographic 
unit 12b together with the pending application's 
text on page 22 at lines 4-13; and 

b) the key generator 52 of the receiver's cryptograph- 
ic unit 12a together with the pending application's 
text on page 22 at lines 15-22. 
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3. Comparing pairs of results obtained by evaluating the expres- 
sions of the at least two (2) different verification relation- 
ships . 14 



Grounds of Rejection 
to Be Reviewed on Appeal 

1. Whether method, system and cryptographic unit claims 1-27 are 
anticipated under 35 U.S.C. § 102(b) by United States Patent 
No. 5,804,703 entitled "Method and Apparatus for Digital 
Signature Authentication" which issued September 8, 1998, on 
an application filed by Richard E. Crandall ("the Crandall 
patent") . 

2. Whether digital signature claims 28 and 29 are anticipated 
under 35 U.S.C. § 102(b) by the Crandall patent. 

Argument 

First, this patent application's prosecution history contains 
irrefutable proof that Appellant's communications either have not 
been read, or have not been understood. 

For example, a March 28, 2005, Advisory Action 15 contains the 
following statement . 



See the pending application's text beginning on page 22 
at line 23 and continuing to page 23 at line 5. 

The Advisory Action replies to a March 17, 2 005, response 
to the final rejection of claims 1-29 appearing in a 
January 18, 2005, Office Action. 
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Regarding to applicant's arguments , applicant argues that 
the storage of any information or data into the public 
source either by a sender or by a receiver is not" 
disclosed in the Crandall reference in its text or 
implicitly . However, Crandall discloses the public 
source contains the public keys of the sender and 
receiver, which inherently discloses that the public keys 
are transmitted by the sender and receiver (Crandall. 
column 20 lines 15-24: the source of information may be 
transmitted between sender and receiver) . (Emphasis 
supplied . ) 

Page 2 of the March 17, 2005, response, to which the preceding 
Advisory Action excerpt replies, contains the following admission 
by Appellant . 

Specifically, the Applicant finds that the " public source 
813 " disclosed in the cited reference receives, either 
expressly or implicitly: 

1. only ourPub from a sender; and 

2. only theirPub from a receiver. 

Since the preceding excerpt from the March 17, 2005, response 
to the January 18, 2005, Office Action's final rejection of claims 
1-29 expressly contradicts the statement excerpted above from the 
March 28, 2005, Advisory Action, clearly Appellant ' s communications 
either have not been read, or have not been understood. 



The Cited Reference 

Proceeding now to the substance of the January 18, 2 005, 

Office Action's final rejection of claims 1-27, the Crandall patent 

discloses that: 

[i]n the following description, the terms " our " and 
" our end " refer to the sender . The terms " their " and 
"their end" refer to the receiver. This convention is 
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used because the key exchange of the present invention 
may be accomplished between one or more senders and one 
or more receivers. Thus, " our " and " our end " and " their " 
and " their end " refers to one or more senders and 
receivers, respectively . 

The public key exchange of the elliptic curve 
cryptosystem of the present invention is illustrated in 
the flow diagram of FIG. 3. 

Step 301 

At our end, a public key is computed: our Pub e F pk 
ourPub = (ourPri) ° (x 1; yj Equation (12) 

Step 302 

At their end, a public key is computed: theirPub e 

F pk 

theirPub = (theirPri) 0 (x x , yj Equation (13) 

Step 303 

The two public keys ourPub and theirPub are pub- 
lished, and therefore known to all users . (Col. 8, lines 
1-23) (Emphasis supplied. ) 

A separate^ source 8 13 16 stores publicly known infor- 
mation, such as the public keys "ourPub" and "theirPub" 
of sender 801 and receiver 802, the initial point (x 2 , 
y x ) , the field F pk , and curve parameter "a". This 
[public] source [813] of information may be a published 
directory, an on-line source for use by computer systems, 
or it[, i.e. the public source 813,] may transmitted 
between sender and receiver over a non- secure transmis- 
sion medium . The public source 813 is shown symbolically 
connected to sender 801 through line 815 and to receiver 
802 through line 814. 17 



Depicted both in FIG. 8 and in FIG. 12. "FIG. 8 is a 
block diagram of the present invention." (Col. 12, line 
51.) "FIG. 12 illustrates a block diagram for implement- 
ing the digital signature scheme of the present inven- 
tion." (Col. 19, lines 34-35.) 

Note that lines 814 and 815, both in FIGs. 8 and 12, in 
all instances terminate in arrows that are directed away 
from rather than toward the public key source 813. Thus, 
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In operation, the sender and receiver generate a 
common one time pad for use as an enciphering and 
deciphering key in a secure transmission. The private 
key of the sender, ourPri, is provided to the elliptic 
multiplier 805, along with the sender 1 s public key, 
theirPub 18 . The elliptic multiplier 805 computes an 
enciphering key e K fr Q m (ourPri) ° (theirPub) (mod p) . 
(Col . TT, lines 9-24 . ) (Emphasis supplied.) 

The receiver 802 generates a deciphering key D K 

using the receiver's private key, theirPri . TheirPri is 
provided from the private key source 808 to the elliptic 
multiplier 804, along with sender's public key, ourPub , 
(from the public source 813)"! Deciphering key D K is gen- 
erated from (theirPri) ° (ourPub) (mod p) . The deciphering 
key D K is equal to the enciphering key e K due to the 
abelian nature of the elliptic multiplication function. 
Therefore, the receiver 802 reverses the encryption 
scheme, using the deciphering key D K , to recover the 
plaintext message Ptxt from the ciphertext message C. 
(Col. 13, lines 31-40.) (Emphasis supplied.) 

A separate source 813 stores publicly known informa- 
tion, such as the public keys " ourPub " and " theirPub " of 
sender 1201 and receiver 1202, the initial point (x lf 
y x ) , the field F pk , and curve parameter "a" . This source 
of information may be a published directory, an on-line 
source for use by computer systems, or it may transmitted 
between sender and receiver over a non-secure transmis- 
sion medium. The public source 813 is shown symbolically 
connected to sender 1201 through line 815 and to receiver 
1202 and hasher 1206 through lines 814 and 1218 respec- 
tively. 

In operation, the sender and receiver generate a 
common one time pad for use as an enciphering and 



FIGs. 8 and 12 teach away from storage of information or 
data either by the sender 801 or 12 01 or by the receiver 
802 or 1202 into the "public source 813." Consequently, 
the only disclosure of information or data storage into 
the "public source 813" by either the sender 801 or 1201 
or by the receiver 802 or 12 02 must reside in the text oT 
the Crandall patent " 

18 It appears that this text should correctly read "along 
with the sender 1 a receiver ' s public key, theirPub." 
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deciphering key in a secure transmission, as described 
above. (Col. 20, lines 15-27.) (Emphasis supplied.) 

The receiver 12 02 generates a deciphering key D K 

using the receiver's private key, theirPri . TheirPri is 
provided from the private key source 808 to the elliptic 
multiplier 806, along with sender's public key, ourPub, 
(from the public source 813) . Deciphering key D K is 
generated from (theirPri) ° (ourPub) (mod p) . The deci- 
phering key D K is equal to the enciphering key e K due to 
the abelian nature of the elliptic multiplication 
function. Therefore, the receiver 12 02 reverses the 
encryption scheme, using the deciphering key D K , to 
recover the plaintext message from the ciphertext message 
C. 

The elliptic multiplier 806 of the receiver 1202 
receives point u from the nonsecure channel 816. The 
elliptic multipler (sic) 806 generates point Q and 
provides it to comparator 1208. Hasher recieves (sic) 
the ciphertext message C and point P from the nonsecure 
channel 816 and the purported senders public key ourPub 
from source 813 and generates point R, which it provides 
to comparator 1208. Comparator 1208 compares points Q 
and R and if they match, the signature is assumed to be 
valid. In the present invention, the comparison of 
points Q and R is accomplished using the optimized scheme 
using x values described above. (Col. 20, lines 42-63.) 
(Emphasis supplied. ) 

A redacted copy of FIG. 12 from the Crandall patent appears 
below that has been annotated to illustrate those portions of that 
reference's disclosure which correspond most nearly: 

1. to the characteristic steps 1-5 identified above in indepen- 
dent claims 1, 10 and 19; and 

2. to the annotated, redacted preceding copy of FIG. 1 from the 
present application . 19 



Note that in the published Crandall patent both FIG. 8 
and FIG. 12 fail to graphically illustrate storage of 
either ourPub or theirPub into the public source 813. To 
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As illustrated above, the Crandall patent expre ssly 
discloses only that: 

1. using a public initial point (x l f y j , the receiver , enclosed 
within the dashed box at the right hand side cf the preceding 
illustration, computes using equation (12) and transmits for 
storage in the p ublic source 813 only a s i ng 1 e quan t i t y 
theirPub 20 ; 



rectify this apparent omission, the redacted copy of FIG. 
12 from the Crandall patent includes annotations which 
indicate storing ourPub or theirPub into the public 
source 813 . 

20 See the Crandall patent at col. 8, lines 8-23, 
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2 . the sender , enclosed within the dashed box at the left hand 
side of the preceding illustration, retrieves from the public 
source 813 a plurality of quantities , at least: 

a . their Pub ; 

b. the initial point (x 1 7 y j ; and 

c. a fast class number p 21 ; 

3. under one interpretation of the Crandall patent, using the 

public initial point (x 1# y x )_, the sender computes using 

equation (13) and transmits to the receiver , via the public 
source 813 , only a single quantity ourPub 22, 23 ; or 

3 1 . under the interpretation of the Crandall patent which appears 
on page 3 of the January 18, 2005, Office Action, using at 
least the public quantities " their Pub , " the initial point (x 1# 
y^, the field Fp k , curve parameter "a, " and {X 1 /l)_ / the sender 
computes and transmits to the receiver , via nonsecure channel 
816 : 

a. a ciphertext message C; and 



21 See the Crandall patent at col. 8, lines 8-23, and col. 
13, lines 23-24. 

22 For reasons explained in greater detail below, this 
interpretation of the Crandall patent accords most nearly 
with a requirement latent in the fifth characteristic 
step for independent claims 1, 10 and 19. 

23 See the Crandall patent at col. 8, lines 8-23. 
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b. a digital signature (u,P) 24 ; 

4. the sender computes , using the public quantities theirPub and 
p, the cryptographic key, i.e. encryption key e K 25 from 
(ourPri) 0 ( theirPub ) ( mod p ) 26 ; and 

5. the receiver computes , using the public quantities ourPub and 
p, the cryptographic key K, i.e. de c iphe r ing key d K from 
(theirPri) ° ( our Pub ) ( mod p ) 27 . 

A step-by-step summary, set forth below, compares the 
preceding analysis of the Crandall patent with characteristic steps 
1-5 identified above for independent claims 1, 10 and 19. 
1. The Crandall patent's text expressly discloses that the 
receiver transmits only a single quantity , theirPub , for 
storage in a publicly accessible repository , i.e. the public 
source 813, rather than the plurality of public quantities 



For reasons explained in greater detail below, this 
interpretation of the Crandall patent: 

1. extends into portions of its disclosure beyond 
establishing a cryptographic key K; and 

2 . is inconsistent with a requirement latent in the 
fifth characteristic step for independent claims 1, 
10 and 19. 

An error apparently exists in the Crandall patent's FIG. 
12 where the symbol M c K " appears instead of the symbol 
"e K " that appears in FIG. 8. To conform this redacted, 
annotated copy of FIG. 12 with the text of the Crandall 
patent in column 20 at lines 47-49, the redacted, 
annotated copy of FIG. 12 includes the symbol "e K ." 

See the Crandall patent at col. 13, lines 23-24 

See the Crandall patent at col. 20, lines 46-47 
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expressly required by the texts of independent claims 1, 10 
and 1 9 . 

2. The Crandall patent correctly discloses that the sender re- 
trieves a plurality of public quantities , i.e. their Pub , the 
initial point (x 1 # y 1 ) and the fast class number p ; , from the 
publicly accessible repository , i.e. the public source 813. 

3. Under one interpretation, the Crandall patent's text expressly 
discloses that, using at least some of the plurality of public 
quantities , the sender computes and transmits to the receiver, 
via the public source 813, only a single quantity , ourPub . 

3' . Under the interpretation that appears in the January 18, 2005, 
Office Action, the Crandall patent arguably discloses that, 
using at least some of the plurality of public quantities , the 
sender computes and transmits to the receiver, via the 
nonsecure channel 816 , a plurality of sender quantities, i.e. : 

a. the ciphertext message C; and 

b. the digital signature (u,P). 

However, pending claims 1-27 encompass only establishing a 
cryptographic key K . Consequently, the Office Action's inter- 
pretation of the Crandall patent relies upon portions of the 
reference's disclosures which extend beyond establishing the 
enciphering key e k and the deciphering key d k . 
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4. The Crandall patent correctly discloses that the sender uses 
a plurality of public quantities , i.e. theirPub and p, in 
computing the cryptographic key, i.e. encryption key e K . 

5. Under interpretation 3 above, the Crandall patent discloses 
only that the receiver uses a plurality of public quantities , 
i.e. ourPub and p, in computing the cryptographic key, i.e. 
deciphering key d K , not a plurality of sender quantities . 
Interpretation 3' above, as explained in greater detail below 
causes the Crandall patent to disclose a cryptosystem that 
provides no secur i ty . 

Consequently, with respect to independent claims 1, 10 and 19 as 
analyzed above, the Crandall patent: 

1. fails to expressly disclose characteristic step 1; 

2. either: 

a. fails to disclose characteristic step 3; or 

b. requires an interpretation which relies upon matter that 
is beyond the scope of claims 1-27; and 

3. either: 

a. fails to disclose characteristic step 5; or 

b. discloses a cryptosystem that provides no security. 
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The Crandall Patent's Receiver 
Stores Only theirPub Into The 
Public Source 813 



In rejecting pending independent claims 1 under 3 5 U.S.C. 
§ 102(b) as being anticipated by the Crandall patent, citing both 
column 20 at lines 15-24 and FIG. 12 in the Crandall patent the 
January 18, 2 005, Office Action, on page 3, alleges that the 
Crandall patent's receiver transmits for storage "in a publicly 
accessible repository a plurality of public quantities . " 

Previously, it has been established that both FIG. 8 and FIG. 
12 of the Crandall patent fail to graphically illustrate storage of 
anything into the publicly accessible repository. That is, all 
arrows in FIGs. 8 and 12 point away from the public source 813. 
Thus, if the Crandall patent discloses transmission for storage "in 
a publicly accessible repository a plurality of public quantities" 
as the January 18, 2005, Office Action alleges, such disclosure 
must occur in the Crandall patent's text, i.e. in column 20 at 
lines 15-24. 

Set forth below is the text of the Crandall patent excerpted 

from column 20 at lines 15-24. 

A separate source 813 stores publicly known informa- 
tion, such as the public keys " our Pub " and " theirPub " of 
sender 12 01 and receiver 12 02, the initial point (x 1f 
YiK the field F p k , and curve parameter "a" . This source 
of information may be a published directory, an on-line 
source for use by computer systems, or it may transmitted 
between sender and receiver over a non- secure transmis- 
sion medium. The public source 813 is shown symbolically 
connected to sender 1201 through line 815 and to receiver 
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1202 and hasher 1206 through lines 814 and 1218 respec- 
tively. (Col. 20, lines 15-24.) (Emphasis supplied.) 

The preceding excerpted text clearly establishes that the 

public source 813 stores a plurality of public quantities. 

However, the preceding text fails to disclose whether the plurality 

of public quantities are stored in the public source 813 by: 

1. the receiver; 

2 . the sender; or 

3. a trusted third party. 

The text of the Crandall patent in column 8 at lines 8-23 states 
only that the receiver stores theirPub into the public source 813 , 
and that the sender stores ourPub there also . Since "for anticipa- 
tion under 35 U.S. C. § 102, the reference must teach every aspect 
of the claimed invention either explicitly or impliedly 28 ," because 
the Crandall patent explicitly discloses only the storage of 
theirPub and ourPub into the public source 813, the reference fails 
to anticipate independent claim 1 unless the^ receiver impliedly 
stores at least one quantity into the public source 813 in addition 
to theirPub . 

Regarding the possibility that the Crandall patent might 
"impliedly" disclose that the receiver stores into the public 
source 813 at least one quantity in addition to theirPub, the text 

28 Manual of Patent Examining Procedure ("MPEP") Eighth 
Edition Revision 1, February 2003, § 706.02, p. 700-21, 
emphasis supplied. 
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of the Crandall patent in column 7 at lines 30-31 in a section of 

the reference entitled "Elliptic Curve Algebra" expressly states: 

[N]ext, parameters are established for both sender 
and recipient. 

The preceding excerpt from the Crandall patent expressly discloses 

that parameters , i.e. the public quantities present in the public 

source 813 in addition to theirPub and ourPub, are not established 

by either the sender or the recipient (receiver) . Rather, the 

"parameters are established for both sender and recipient," 

presumably by some trusted third party. 

Confirming this interpretation of the preceding text excerpted 

from column 7 of the Crandall patent, that reference in column 16, 

lines 15 through 22, criticizes the RSA cryptosystem because a 

"user cannot generate its own private key in the RSA system. " 

Contrasting the Crandall patent's elliptic curve cryptosystem with 

the RSA cryptosystem, the Crandall patent in column 16 declares: 

[t]he present invention does not require that the private 
key be a prime number. Therefore, users can generate 
their own private keys , so long as a public key is 
generated and published using correct and publicly 
available parameters p, F o k f (X 1 /Z) and "a"" ! 

Thus, the text in column 16 discloses that: 

1. there exists cryptosystems which are so mathematically 
difficult that a "user" cannot generate their own private key, 
no less generate their own public key; 
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2. for such cryptosystems, a trusted third party must establish 
both the private and public keys; and 

3 . announces as a significant advance in cryptosystem technology 
a user's ability to select their own private key . 

If a user's ability to select their own private key consti- 
tutes a significant advance in cryptosystem technology warranting 
specific mention, wouldn't the Crandall patent be reasonably 
expected to similarly expressly announce in its text a user's 
ability to establish the elliptic curve cryptosystem ' s parameters 
such as p, F pk , (XjZ) and "a." The only reasonable inference which 
can be drawn from the Crandall patent's failure to specifically 
describe a user's ability to establish the cryptosystem ' s parame- 
ters is that establishing those parameters generally lies beyond a 
user's capability due to the mathematical complexity and difficulty 
of the esoteric elliptic curve cryptosystem. Consequently, the 
text excerpted above from column 16 confirms the statement 
excerpted from column 7 that the " parameters [stored in the public 
source 813 other than theirPub and ourPub] are established for both 
sender and recipient , " probably by a highly mathematically-skilled, 
trusted third party. 

Consequently, the text of the Crandall patent expressly 
discloses that : 

1 . the receiver stores only a single quantity, i.e, theirPub, 
into the public source 813; and 

-22- 
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2 . other quantities, i.e. the cryptosystem' s parameters, are 
stored into the public source 813 for both sender and receiv- 
er , apparently by a trusted third party. 

Problems Inherent In The 
Crandall Patent's Alleged 
Plurality of Sender's Quantities 

In rejecting pending independent claims 1 under 35 U.S.C. 
§ 102(b) as being anticipated by the Crandall patent, the January 
18, 2005, Office Action, on page 3, citing column 13, lines 18-30 
in the reference alleges that the Crandall patent's sender computes 
and transmits, as a plurality of sender's quantities : 

1. the ciphertext message C; and 

2. digital signature (u,P). 

Superficially, the January 18, 2005, Office Action's selection 
of the ciphertext message C and digital signature (u,P) to be the 
"plurality of sender's quantities" required by the third character- 
istic step of independent claims 1, 10, and 19 may initially appear 
plausible. However, that interpretation of the Crandall patent, 
employed for rejecting independent claims 1-27, relies upon 
portions of the Crandall patent's disclosure which extend entirely 
beyond the scope of claims 1-27 which are strictly limited to 
establishing the cryptographic key K. 
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Turning now to the text of the Crandall patent in column 13 at 
lines 18-30 cited in the Office Action, the reference states as 
follows . 

In operation, the sender and receiver generate a 
common one time pad for use as an enciphering and 
deciphering key in a secure transmission. The private 
key of the sender, ourPri, is provided to the elliptic 
multiplier 805, along with the sender's public key, 
theirPub 29 . The elliptic multiplier 805 computes an 
enciphering key e K from (ourPri) 0 (theirPub) (mod p) . The 
enciphering key is provided to the encryption/decryption 
means 803 , along with the plaintext message Ptxt . The 
enciphering key is used with an encrypting scheme, such 
as the DES scheme or the elliptic curve scheme of the 
present invention, to generate a ciphertext message C . 
The ciphertext message is transmitted to the receiver 802 
over a nonsecure channel 816" ! (Emphasis supplied.) 

First, Appellant observes that the preceding text describes 
only creating the ciphertext C and sending it to the receiver. 
That is, the preceding text fails to describe generating the 
digital signature (u,P). Consequently, Appellant respectfully 
submits that the Crandall patent's text identified in the January 
18, 2005, Office Action as disclosing the third characteristic 
step, in fact, fails to support the Office Action's allegation 
because the cited text fails to describe generating a digital 
signature (u,P) . 

Presumably, the January 18, 2005, Office Action's oversight 
identified in the preceding paragraph might be cured by an 



29 It appears that this text should correctly read '-'along 
with the oondcr 1 9 receiver ' s public key, theirPub." 
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additional citation to some text in the Crandall patent which 
discloses generating the digital signature (u,P). However, the 
problem described in detail below caused by selecting the 
ciphertext message C and the digital signature (u,P) to be the 
"plurality of sender's quantities" required by the third character- 
istic step is not so easily cured. 

The fifth characteristic step of independent claims 1, 10 and 
19 requires that at least some of the "plurality of sender's 
quantities" be used in computing the "cryptographic key K. " If it 
were possible for the receiver to compute the cryptographic key K 
using only the ciphertext message and signature , there exists 
nothing to prevent an eavesdropper from similarly computing the 
cryptographic key K 30 . Thus, the preceding allegation appearing in 
the January 18, 2005, Office Action, if adopted, renders the 
Crandall patent's cryptosystem nothing more than a failed experi- 
ment because it provides totally insecure communication. 

Stated in a slightly different way, both the Crandall patent's 
ciphertext message C and digital signature (u,P) are encrypted. If 
either or both of the ciphertext message and digital signature 
together with quantities available from the public source 813 



Presumably, an eavesdropper has access to: 

1. the public source 813; and 

2 . everything transmitted over the nonsecure channel 
816 including the ciphertext C and the digital 
signature (u, P) . 
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permit computing the receiver's cryptographic key K as alleged in 
the January 18, 2005, Office Action with respect to characteristic 
step 5, then encrypting the message and digital signature would be 
futile. In a cryptosystem which truly provides confidentiality it 
should be extremely difficult, preferably impossible, to compute 
the cryptographic key K from either or both the ciphertext message 
and digital signature, either with or without the assistance of 
publicly available quantities. Thus, interpretation 3 ' alleged in 
the January 18, 2005, Office Action renders the Crandall patent's 
disclosure useless for its intended purpose, i.e. providing secure 
cryptographic communication . 

Appellant respectfully submits that the January 18, 2005, 
Office Action's compromising security provided by the Crandall 
patent's cryptosystem by selecting the ciphertext message C and 
digital signature (u,P) to be the " plurality of sender's quanti- 
ties " required by the third characteristic step of independent 
claims 1, 10, and 19 and the requirement of the fifth characteris- 
tic step that the " plurality of sender's quantities " be used in 
computing the "cryptographic key K" further demonstrates that 
Appellant's communications, i.e. in this instance the claims of the 
patent application as originally filed and/or the Crandall patent, 
either are not being read, or are not being understood. 
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If for the preceding reason one were to reject the January 18, 
2005, Office Action's allegation that the "plurality of sender 1 s 
quantities" are: 

1. the ciphertext message C; and 

2. the digital signature (u,P); 

then the only other possibility is that the Crandall patent instead 
discloses that, using at least some of the plurality of public 
quantities , the sender computes and transmits to the receiver, via 
the public source 813, only a single quantity , ourPub . Further- 
more, in the same way as previously explained in connection with 
the receiver transmitting for storage in the public source 813 only 
a single quantity theirPub, the text of the Crandall patent 
expressly discloses that : 

1 - the sender stores only a single quantity , i.e. ourPub, into 
the public source 813; and 

2 . other quantities, i.e. the cryptosystem 1 s parameters, are 
stored into the public source 813 for both sender and receiv- 
er , apparently by a trusted third party. 

Using Interpretation 3 of the 
Crandall Patent, There Exists No 
Plurality of Sender's Quantities 
For Computing the Cryptographic Key K 

The fifth characteristic step of independent claims 1, 10 and 
19 requires that the receiving unit R use at least one of the 
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plurality of sender's quantities received from the sending unit S 
in computing the cryptographic key K . However, if contrary to the 
January 18, 2005, Office Action's allegation: 

1. the ciphertext message C; and 

2. the digital signature (u,P); 

are not the plurality of sender's quantities , then the only other 
thing which the sender computes and transmits in a way that permits 
access by the receiver is the sender's public quantity, i.e. 
ourPub. However, ourPub is a single quantity whereas the third and 
fifth characteristic steps of independent claims 1, 10 and 19 both 
require a "plurality of sender quantities." Thus, under interpre- 
tation 3 there does not exist the "plurality of sender quantities" 
required by independent claims 1, 10, and 19. 

A Cryptosystem' s Key 
Should Be Secure 

The fifth characteristic step of independent claims 1, 10 and 
19 requires that the receiving unit R use at least one of the 
plurality of sender's quantities received from the sending unit S 
in computing the cryptographic key K . If as alleged in the January 
18, 2005, Office Action the plurality of sender's quantities are: 

1. the ciphertext message C; and 

2. the digital signature (u,P); 
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and if the Crandall patent's cryptosystem truly provides confiden- 
tiality, then it is extremely difficult, preferably impossible, for 
the receiver to compute the cryptographic key K using at least one 
of the plurality of sender's quantities . In fact, if the Crandall 
patent's cryptosystem truly provides confidentiality then the 
receiver is in no better position than an eavesdropper, and, 
contrary to the January 18, 2005, Office Action's implicit 
allegation, to obtain the cryptographic key K , i.e. deciphering key 
d K , the receiver must therefore crack the Crandall patent's 
elliptic curve cryptosystem. 



Digital Signature Claims 
Are Patentable 



Independent digital signature claim 28 requires that the 

receiver retrieve a plurality of public quantities from a publicly 

accessible repository which the sending unit has previously stored 

there. In rejecting independent claim 28 the January 18, 2005, 

Office Action on page 10 alleges: 

the sending unit S transmits for storage in a publicly 

accessible repository a plurality of public quantities 

(Crandall: column 20 lines 15-24 

★ * * 

the receiving unit R ... : 

a. retrieving the plurality of public quantities from the 
publicly accessible repository (Crandall : column 17 
lines 1-50 (Emphasis supplied. ) 

The two texts from the Crandall patent identified above appear 
in the following excerpts. 
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A separate source 813 stores publicly known informa- 
tion, such as the public keys " our Pub " and " theirPub " of 
sender 1201 and receiver 1202, the initial point 
( x i / Y i) / the field Fp k , and curve parameter "a" . This 
source of information may be a published directory, an 
on-line source for use by computer systems, or it may 
transmitted between sender and receiver over a non- secure 
transmission medium. The public source 813 is shown 
symbolically connected to sender 12 01 through line 815 
and to receiver 12 02 and hasher 1206 through lines 814 
and 1218 respectively. (Col. 20, lines 15-24.) (Empha- 
sis supplied. ) 

★ * * 

1) Using the u part of the signature, compute the 
point 

Q = uMVD 

2) Compare the point Q to the point 

R = P + M (ciphertext , P) ° our Pub 

The signature is invalid if these elliptic points Q 
and R do not compare exactly. In other words, if the 
signature is authentic, the following must hold: 

u° (X^l) = P + M (ciphertext , P) ° our Pub 

Substituting for u on the left side of the equation 
above gives : 

(m + ourPri*M (ciphertext , P) ) ° (X^l) = 

P + M (ciphertext , P) °ourPub 

or : 

m°(X 1 /l) + (ourPri*M (ciphertext, P) ) 0 (X 1 /l) = 

P + M (ciphertext , P) ° our Pub 

Substituting for ourPub on the right side of the 
equation yields: 

m°(X 1 /l) + (ourPri*M (ciphertext, P) ) ° (X 1 /l) = 

P + M (ciphertext , P) °ourPri° (X 1 /l) 
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Since P = m° {X 1 /l) from above, the left side 
becomes : 

P + (ourPri*M(ciphertext, P) ) ° {X 1 /l) = 
P + M (ciphertext , P) °ourPri° (X 1 /l) 

Moving ourPri in the right side of the equation 
gives : 

P + ourPri*M (ciphertext, P) ) ° (X x /I) = 

P + ourPri*M (ciphertext , P) 0 (X 1 /l) 

Thus , a point on a curve is calculated via two 
different equations using the transmitted pair (u, P) . 

It can be seen that by calculating Q from the transmitted 
point u, and by calculating R from transmitted point P, 
the ciphertext message, and the public key of the 
purported sender, the digital signature is assumed 
authenticated when Q and R match . (Col . TT, lines 1-50) 
(Emphasis supplied. ) 

Regarding the first allegation that the Crandall patent 
discloses a sender which stores a plurality of quantities into the 
public source 813, previously in this Appeal Brief it has been 
irrefutably established that the text of the Crandall patent 
expressly discloses that : 

1 . the sender stores only a single quantity, i.e. ourPub, into 
the public source 813; and 

2 . other quantities, i.e. the cryptosystem 1 s parameters, are 
stored into the public source 813 for both sender and receiv- 
er , apparently by a trusted third party. 

Neither of the Crandall patent 1 s texts identified by the 
January 28, 2005, Office Action in rejecting independent claim 28 
contain anything which contradicts preceding facts nos. 1 and 2. 
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For these two reasons alone, independent digital signature claim 
28/ together with claim 2 9 depending therefrom, traverse rejection 
under 35 U.S.C. § 102(b) based upon the Crandall patent . 

Furthermore, since for reasons nos . 1 and 2 above the sender 
does not store a plurality of public quantities into the Crandall 
patent's public source 813 as expressly required by the text of 
independent digital signature claim 28, the receiver cannot 
retrieve from the public source 813 something which the sender has 
not stored there . For this second reason, independent digital 
signature claim 28, together with claim 29 depending therefrom, 
traverse rejection under 35 U.S.C. § 102(b) based upon the Crandall 
patent . 

Independent digital signature claim 28 also requires that the 
receiver use the digital signature , which the sending unit trans- 
mits together with message "M, " and the plurality of public quanti- 
ties , in evaluating expressions of at least two (2) different 
verification relationships . In rejecting independent claim 2 8 the 
January 18, 2005, Office Action on pages 10 and 11 alleges: 

the receiving unit R ... 

b. using the digital signature and the plurality of 
public quantities , evaluating expressions of at least two 
(2) different verification relationships (Crandall : 
column 17 lines 44-50: two different equations ) ( Empha - 
sis supplied . ) 
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Lines 44-50 in the Crandall patent cited in support of the 
preceding allegation appear in the immediately preceding excerpt 
from column 17. 

The text cited in the Crandall patent states that "a point on 

a curve is calculated via two different equations using the 

transmitted pair (u, P) . " The text of pending independent digital 

signature claim 28 expressly requires: 

using the digital signature and the plurality of public 
quantities, evaluating expressions of at least two (2) 
different verification relationships . 

The claims of a patent , which define the invention, are "to be 

construed in light of the specification and both are to be read 

with a view to ascertaining the invention . " United States v. 

Adams , 383 U.S. 39, 49, 148 USPQ 479, 482 (1966). (Emphasis 

supplied) In the terminology of the present application beginning 

on page 22 at line 14, computing the points Q and R constitutes 

evaluating expressions of a single verification relationship . 

Expressing the Crandall patent's disclosure in the terminology of 

the present application produces the following verification 

relationship . 

u° (X x /I) = Q R = P + M(ciphertext, P) °ourPub 
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The preceding verification relationship, which corresponds to the 
Crandall patent's disclosure in column 17, lines 1-50, requires 
evaluating only the two (2) following expressions. 
u°(X 1 /I) 

P + M (ciphertext , P) °ourPub 
For this third reason, independent digital signature claim 28, 
together with claim 2 9 depending therefrom, traverse rejection 
under 35 U.S.C. § 102(b) based upon the Crandall patent . 

Independent digital signature claim 28 further requires that 
the receiver compare pairs of results obtained by evaluating the 
expressions of the at least two (2) different verification 
relationships . In rejecting independent claim 28 the January 18, 
2005, Office Action on pages 10 and 11 alleges: 

the receiving unit R ... 

c. comparing pairs , of results obtained by evaluating the 
expressions of the at least two (2) different verifica- 
tion relationships (Crandall: column 17 lines 49-50: the 
digital signature is assumed authenticated when Q and R 
match) (Emphasis supplied.) 

Lines 49-50 in the Crandall patent cited in support of the 

preceding allegation appear in the immediately preceding excerpt 

from column 17. 

The text cited in the Crandall patent states that "the digital 
signature is assumed authenticated when Q and R match." The text 
of pending independent digital signature claim 28 expressly 
requires : 
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comparing pairs of results obtained by evaluating the 
expressions of the at least two (2) different verifica- 
tion relationships . 

Note first that the text of independent claim 28 requires "compar- 
ing pairs of results ... . " Thus, the text of independent 
claim 2 8 expressly requires comparing more that the single pair of 
results Q and R disclosed in the Crandall patent . 

Set forth below are the two verification relationships which 
appear in the present application on page 22 at line 19-22 recast 
to use the terminology of the Crandall patent. 

^ ^ ( ( (a . p) *n) a + a x p) . a x { a x a ) _ 

~£X- R- _ m a x (a x( a xa ) ) . p 
1 

2 ^ ( ( (a. p) *n) a + axp) . (a x ( a x <r ) ) x <r _ Q| ^ 

=5= R2 = m " (a * a J a x (a x ff) . p 

Clearly, the single "verification relationship" disclosed in the 
Crandall patent set forth above cannot anticipate the two (2) 
verification relationships disclosed in the present application and 
encompassed by independent digital signature claim 28. For this 
fourth reason, independent digital signature claim 28, together 
with claim 2 9 depending therefrom, traverse rejection under 35 
U.S.C. § 102(b) based upon the Crandall patent . 
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Conclusion 

The text of the Crandall patent expressly discloses that: 
1 ■ the receiver stores only a single quantity, i.e. theirPub, 
into the public source 813 31 ; 

2 . the sender stores only a single quantity, i.e. ourPub, into 
the public source 813 32 ; and 

3 . other quantities, i.e. the Crandall patent cryptosystem 1 s 
parameters, are not stored into the public source 813 by 
either the receiver or the sender, but are rather stored for 
both sender and receiver , apparently by a trusted third 
party 33 . 

Since independent cryptographic key K claims 1, 10 and 19, 
together with, all claims depending therefrom, stand finally 
rejected as being anticipated under 35 U.S.C. § 102(b) by the 
Crandall patent, for reasons set forth above claims 1-27 traverse 
the rejection based solely upon facts nos. 1 and 3 above . 

Since independent digital signature claim 28 and claim 29 
depending therefrom stand finally rejected as being anticipated 



32 



33 



See the Crandall patent at col. 8, lines 8-23. 
Id. 

See the Crandall patent: 

1. col. 7, lines 30-31 which expressly states that 
" parameters are established for both sender and 
recipient " (receiver) ; and 

2. col. 16, lines 15-24. 
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under 35 U.S.C. § 102(b) by the Crandall patent, for reasons set 
forth above claims 2 8 and 2 9 traverse the rejection based solely 
upon facts nos. 2 and 3 above . 

Furthermore, for reasons explained in greater detail . above 
independent cryptographic key K claims 1, 10 and 19, together with 
all claims depending therefrom, also traverse rejection under 35 
U.S.C. § 102(b) because the Crandall patent also: 

1. either: 

a. fails to disclose the sending unit S using at least some 
of the plurality of public quantities in computing and 
transmitting to the receiving unit R a plurality of 
sender's quantities ; or 

b. relies upon portions of the Crandall patent's disclosure 
lying beyond the scope of the pending claims which encom- 
pass only establishing a cryptographic key K; and 

2. either: 

a. fails to disclose the receiving unit R using at least one 
of the plurality of sender's quantities received from the 
sending unit S in computing the cryptographic key K ; or 

b. discloses a cryptosystem that provides no security . 

Furthermore, for reasons explained in greater detail above 
independent digital signature claim 2 8 and claim 2 9 depending 
therefrom traverse rejection under 35 U.S.C. § 102(b) because the 
Crandall patent also fails to disclose: 

-37- 

Docket no. 2174 October 5, 2005 



Appl. No. 09/655,229 

Response Dated October 5, 2005 

Appeal of Office Action dated January 18, 2005 

1. the receiver retrieving from the public source 813 a plurality 
of quantities which the sender has stored there; 

2. the receiver evaluating expressions of at least two (2) 
different verification relationships; and 

3. comparing pairs of results obtained by evaluating the expres- 
sions of the at least two (2) different verification relation- 
ships . 

For all the various reasons set forth above, the Board of 
Appeal must overrule the rejections of claims 1-29 appearing in the 
Examiner's Action dated January 18, 2 005, and order that this 
application pass to issue. 




D&nald E. Schreib 
Reg. No. 29,435 




Donald E. Schreiber 
A Professional Corporation 
Post Office Box 2926 
Kings Beach, CA 96143-2926 



Telephone : (530) 546-6041 



Attorney for Appellant 
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CLAIMS APPENDIX 

1. In a protocol for cryptographic communication via a 
communication channel "I" in which a sending cryptographic unit 
"S" transmits onto the communication channel I an encrypted 
cyphertext message "M" obtained by supplying both a plaintext 
message "P" and a cryptographic key "K" to a first cryptographic 
device, and in which a receiving cryptographic unit "R" receives 
the cyphertext message M from the communication channel I and by 
supplying the cyphertext message M together with the key K to a 
second cryptographic device decrypts the plaintext message P 
therefrom, a method by which the units S and R mutually establish 
a cryptographic key K by first exchanging messages before the 
sending unit S transmits the cyphertext message M comprising the 
steps of : 

a. the receiving unit R transmitting for storage in a 
publicly accessible repository a plurality of public 
quantities ; 

b. the sending unit S: 

i. retrieving the plurality of public quantities from 
the publicly accessible repository; 

ii. using at least some of the plurality of public 
quantities, computing and transmitting to the 
receiving unit R a plurality of sender's quanti- 
ties; and 
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iii. using at least one of the plurality of public 
quantities, computing the key K; and 
c. the receiving unit R, using at least one of the plural- 
ity of sender f s quantities received from the sending 
unit S computing the key K. 

2. The method of claim 1 wherein the receiving unit R, in 
storing the plurality of public quantities into the publicly 
accessible repository : 

i. selects at least one receiver's secret quantity; 

ii. selects for storage in the publicly accessible 
repository as part of the plurality of public 
quantities at least one selected public quantity; 
and 

iii. using the receiver's secret quantity and the at 
least one selected public quantity, computes and 
stores in the publicly accessible repository as 
part of the plurality of public quantities a plu- 
rality of computed public quantities. 

3. The method of claim 2 wherein the plurality of public 
quantities include a plurality of vectors. 
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4 . The method of claim 2 wherein the at least one selected 
public quantity includes a vector. 

5. The method of claim 2 wherein the plurality of computed 
public quantities include a plurality of vectors. 

6. The method of claim 2 wherein the sending unit S, in 
computing the plurality of sender's quantities for transmission 
to the receiving unit R: 

i. selects a sender's secret quantity; and 
5 ii. using the sender's secret quantity and at least 

some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
unit R the plurality of sender's quantities. 

7. The method of claim 6 wherein the plurality of sender's 
quantities include a plurality of vectors. 

8. The method of claim 1 wherein the sending unit S, in 
computing the plurality of sender's quantities for transmission 
to the receiving unit R: 

i. selects a sender's secret quantity; and 
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ii. using the sender's secret quantity and at least 

some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
unit R the plurality of sender's quantities. 

9. The method of claim 8 wherein the plurality of sender's 
quantities include a plurality of vectors. 

10. A system adapted for communicating as an encrypted 
cyphertext message M a plaintext message P that has been encoded 
using a cryptographic key K, the system comprising: 

a. a communication channel I adapted for transmitting the 
cyphertext message M; 

b. a pair of transceivers that are coupled to said commu- 
nication channel I, and that are adapted for communi- 
cating the cyphertext message M from one transceiver to 
the other transceiver via said communication channel I; 
and 

c. a pair of cryptographic units each of which is respec- 
tively coupled to one of said transceivers for trans- 
mitting the cyphertext message M thereto or receiving 
the cyphertext message M therefrom, each cryptographic 
unit : 
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i. when the cryptographic unit is to receive the 
cyphertext message M: 

(1) storing plurality of public quantities in a 
publicly accessible repository; 

(2) receiving via the communication channel I a 
plurality of sender's quantities from a send 
ing cryptographic unit, and using at least 
one of the plurality of sender's quantities 
in computing the key K; and 

ii. when the cryptographic unit is to send the 
cyphertext message M, retrieving the plurality of 
public quantities from the publicly accessible 
repository and using: 

(1) at least some of the plurality of public 
quantities in computing the plurality of 
sender's quantities which the sending crypto 
graphic unit transmits via the communication 
channel I to the receiving cryptographic 
unit; and 

(2) at least one of the plurality of public quan 
titles in computing the key K; and 

iii. including a cryptographic device having: 
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(1) a key input port for receiving the key K from 
the cryptographic unit; 

(2) a plaintext port: 

(a) for accepting the plaintext message P 
for encryption into the cyphertext mes- 
sage M that is transmitted from the 
cryptographic device, and 

(b) for delivering the plaintext message P 
obtained by decrypting the cyphertext 
message M received by the cryptographic 
device; and 

(3) a cyphertext port that is coupled to one of 
said transceivers: 

(a) for transmitting the cyphertext message 
M to such transceiver, and 

(b) for receiving the cyphertext message M 
from such transceiver. 



11. The system of claim 10 wherein said cryptographic unit 
which receives the cyphertext message M in storing the plurality 
of public quantities into the publicly accessible repository: 

(a) selects at least one receiver's secret quantity; 
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(b) selects for storage in the publicly accessible 
repository as part of the plurality of public 
quantities at least one selected public quantity; 
and 

(c) using the receiver's secret quantity and the at 
least one selected public quantity, computes and 
stores in the publicly accessible repository as 
part of the plurality of public quantities a plu- 
rality of computed public quantities. 

12. The system of claim 11 wherein the plurality of public 
quantities include a plurality of vectors. 

13. The system of claim 11 wherein the at least one select- 
ed public quantity includes a vector. 

14. The system of claim 11 wherein the plurality of comput- 
ed public quantities include a plurality of vectors. 

15. The system of claim 11 wherein the sending cryptograph- 
ic unit, in computing the plurality of sender's quantities for 
transmission to the receiving cryptographic unit:: 

i. selects a sender's secret quantity;; and 

-7- 
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ii. using the sender's secret quantity and at least 

some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
cryptographic unit the plurality of sender's quan- 
tities . 

16. The system of claim 15 wherein the plurality of 
sender's quantities include a plurality of vectors. 

17. The system of claim 10 wherein the sending cryptograph- 
ic unit, in computing the plurality of sender's quantities for 
transmission to the receiving cryptographic unit: 

i. selects a sender's secret quantity;; and 

ii. using the sender's secret quantity and at least 
some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
cryptographic unit the plurality of sender's quan- 
tities . 

18. The system of claim 17 wherein the plurality of 
sender's quantities include a plurality of vectors. 
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19. A cryptographic unit adapted for inclusion in a system 
for communicating as an encrypted cyphertext message M a 
plaintext message P that has been encoded using a cryptographic 
key K, the system including: 
5 a. a communication channel I adapted for transmitting the 

cyphertext message M; and 
b. a pair of transceivers that are coupled to said commu- 
nication channel I, and that are adapted for communi- 
cating the cyphertext message M from one transceiver -to 
10 the other transceiver via said communication channel I; 

the cryptographic unit being adapted for coupling to said trans- 
ceivers for transmitting the cyphertext message M thereto or 
receiving the cyphertext message M therefrom, and comprising: 
a. ports: 

15 i. when the cryptographic unit is to receive the 

cyphertext message M, for: 

(1) storing plurality of public quantities in a 
publicly accessible repository; 

(2) receiving via the communication channel I a 
20 plurality of sender's quantities from a send- 
ing cryptographic unit, and using at least 
one of the plurality of sender's quantities 
in computing the key K; and 
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ii. when the cryptographic unit is to send the 
25 cyphertext message M, for retrieving the plurality 

of public quantities from the publicly accessible 
repository and using: 

(1) at least some of the plurality of public 
quantities in computing the plurality of 

30 sender's quantities which the sending crypto- 

graphic unit transmits via the communication 
channel I to the receiving cryptographic 
unit; and 

(2) at least one of the plurality of public quan- 
35 tities in computing the key K; and 

b. a cryptographic device having: 

i. a key input port for receiving the key K from the 
cryptographic unit; 

ii. a plaintext port: 

40 (1) for accepting the plaintext message P for 

encryption into the cyphertext message M that 
is transmitted from the cryptographic device, 
and 

(2) for delivering the plaintext message P ob- 
45 tained by decrypting the cyphertext message M 

received by the cryptographic device; and 

-10- 
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ii. a cyphertext port that is coupled to one of said 
transceivers : 

(1) for transmitting the cyphertext message M to 
such transceiver, and 

(2) for receiving the cyphertext message M from 
such transceiver. 

20. The cryptographic unit of claim 19 wherein, when 
receiving the cyphertext message M, in storing the plurality of 
public quantities into the publicly accessible repository: 

(a) selects at least one receiver's secret quantity; 

(b) selects for storage in the publicly accessible 
repository as part of the plurality of public 
quantities at least one selected public quantity; 
and 

(c) using the receiver's secret quantity and the at 
least one selected public quantity, computes and 
stores in the publicly accessible repository as 
part of the plurality of public quantities a plu- 
rality of computed public quantities. 

21. The cryptographic unit of claim 20 wherein the plurali- 
ty of public quantities include a plurality of vectors. 

-11- 
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22. The cryptographic unit of claim 20 wherein the at least 
one selected public quantity includes a vector. 

23. The cryptographic unit of claim 20 wherein the plurali- 
ty of computed public quantities include a plurality of vectors. 

24. The cryptographic unit of claim 20, when sending the 
cyphertext message M, in computing the plurality of sender's 
quantities for transmission to the receiving cryptographic unit: 

i. selects a sender's secret quantity; and 
5 ii. using the sender's secret quantity and at least 

some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
cryptographic unit the plurality of sender's quan- 
tities . 

25. The cryptographic unit of claim 24 wherein the plurali- 
ty of sender's quantities include a plurality of vectors. 

26. The cryptographic unit of claim 19 wherein, when 
sending the cyphertext message M, in computing the plurality of 
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sender's quantities for transmission to the receiving crypto- 
graphic unit : 

5 i. selects a sender's secret quantity; and 

ii. using the sender's secret quantity and at least 

some of the retrieved plurality of public quanti- 
ties, computes for transmission to the receiving 
cryptographic unit the plurality of sender's quan- 
10 titles. 

27. The cryptographic unit of claim 26 wherein the plurali- 
ty of sender's quantities include a plurality of vectors. 

28. In a protocol for communication in which a sending unit 
S transmits onto the communication channel I a message "M" 
together with a digital signature, and, wherein before transmit- 
ting the message M and the digital signature, the sending unit S 

5 transmits for storage in a publicly accessible repository a 
plurality of public quantities, a method by which a receiving 
unit R that receives the message M and the digital signature 
verifies the authenticity of digital signature comprising the 
steps performed by the receiving unit R of: 
10 a. retrieving the plurality of public quantities from the 

publicly accessible repository; 
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b. using the digital signature and the plurality of public 
quantities, evaluating expressions of at least two (2) different 
verification relationships; and 
15 c. comparing pairs of results obtained by evaluating the 

expressions of the at least two (2) different verification 
relationships . 

29. The method of claim 28 wherein the plurality of public 
quantities include a plurality of vectors. 
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EVIDENCE APPENDIX 



United States Patent No. 5,804,703 

Method and Apparatus for Digital Signature Authentication 

Evidence entered by Examiner on "Information Disclosure by 

Applicant" PTO/SB/08A Form which accompanied a March 8, 
2004, Office Action. 
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RELATED PROCEEDINGS APPENDIX 



Appellant is unaware of any presently pending appeal 
or interference that is related to this appeal. 



